
<u>Haoyi Zeng</u>

Thomas Bourgeat









### Some Scary News



## Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs



## Intel, ARM and AMD chip scare: What you need to know

4 January 2018

**COMPUTER CHIP FLAWS IMPACT BILLIONS OF DEVICES**

**DEVELOPING STORY**

### Spectre Attacks





- Timing side channels
- Speculative execution

### A Spectre Vulnerable program

Cannot access `A[x]` when `x` is out of bounds? Here `size` is the size of array `A`, and the load `A[x]` is the "secret" access.

```c
if (x < size) {
  tmp = A[x];
  out = B[tmp];
}
```

Architecturally the check holds. Speculatively the branch predictor assumes `(x < size) == true` even when it is false, so both loads execute before the misprediction is detected.





## How to formalize Spectre vulnerabilities?


Program  $\pi$  satisfies speculative non-interference (SNI) iff for all states  $\sigma, \sigma'$ :

$$\llbracket \pi \rrbracket^{seq}(\sigma) = \llbracket \pi \rrbracket^{seq}(\sigma') \implies \llbracket \pi \rrbracket^{spec}(\sigma) = \llbracket \pi \rrbracket^{spec}(\sigma')$$

Compare leakage without and with speculation

### Speculative Execution

LOAD (one sequential step;  $(\!|e|\!)(a)$  evaluates  $e$  under the register assignment  $a$ ):

$$\frac{p(a(\mathbf{pc})) = \mathbf{load}\ x, e \qquad x \neq \mathbf{pc} \qquad n = (\!|e|\!)(a)}{\langle m, a \rangle \rightarrow \langle m, a[\mathbf{pc} \mapsto a(\mathbf{pc}) + 1,\ x \mapsto m(n)] \rangle}$$

$\llbracket \pi \rrbracket^{seq}(\sigma)$ : sequential execution with events. Each step is labelled with what a timing side channel can observe; for LOAD that is the accessed address:

$$\frac{p(a(\mathbf{pc})) = \mathbf{load}\ x, e \qquad \langle m, a \rangle \rightarrow \langle m', a' \rangle}{\langle m, a \rangle \xrightarrow[\mathbf{seq\text{-}ct}]{\mathbf{load}\ (\!|e|\!)(a)} \langle m', a' \rangle}$$

$\llbracket \pi \rrbracket^{spec}(\sigma)$ : speculative execution with events, driven by a branch predictor that always mispredicts, within a bounded speculative window.



BRANCH (one speculative step;  $s$  is the rest of the stack of speculative states,  $\mathbf{w}$  the speculative window):

$$\frac{\begin{array}{c} p(\sigma(\mathbf{pc})) = \mathbf{beqz}\ x, \ell \qquad \ell_{correct} = \begin{cases} \ell & \text{if } \sigma(x) = 0 \\ \sigma(\mathbf{pc}) + 1 & \text{otherwise} \end{cases} \\[1ex] \ell_{mispred} \in \{\ell, \sigma(\mathbf{pc}) + 1\} \setminus \{\ell_{correct}\} \qquad \omega_{mispred} = \begin{cases} \mathbf{w} & \text{if } \omega = \infty \\ \omega & \text{otherwise} \end{cases} \end{array}}{\langle \sigma, \omega + 1 \rangle \cdot s \xrightarrow[\mathbf{spec\text{-}ct}]{\mathbf{pc}\ \ell_{mispred}} \langle \sigma[\mathbf{pc} \mapsto \ell_{mispred}], \omega_{mispred} \rangle \cdot \langle \sigma[\mathbf{pc} \mapsto \ell_{correct}], \omega \rangle \cdot s}$$

Take two initial states that agree everywhere except on the "secret"  $A[x]$ , with  $x$  out of bounds:

$$\sigma_1 : A + x \mapsto a \qquad\qquad \sigma_2 : A + x \mapsto b$$

Sequentially the body is skipped and nothing secret-dependent is observed:

$$\llbracket \pi \rrbracket^{seq}(\sigma_1) = \llbracket \pi \rrbracket^{seq}(\sigma_2) = \mathbf{start} \cdot \mathbf{jump}\ \mathbf{end}$$

Speculatively the body runs before the misprediction is resolved, and the address of the second load depends on the secret:

$$\llbracket \pi \rrbracket^{spec}(\sigma_1) = \mathbf{start} \cdot \mathbf{load}(A + x) \cdot \mathbf{load}(a) \cdot \mathbf{jump}\ \mathbf{end}$$

$$\llbracket \pi \rrbracket^{spec}(\sigma_2) = \mathbf{start} \cdot \mathbf{load}(A + x) \cdot \mathbf{load}(b) \cdot \mathbf{jump}\ \mathbf{end}$$

The seq traces agree but the spec traces differ, so  $\pi$  is not SNI.
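The semantics above, as an added example in Python (my code, not the talk's Lean development and not Spectector): a small interpreter for the μASM-style program with the sequential semantics and the always-mispredict speculative semantics with window w, which produces the traces compared by SNI and checks the Spectre-v1 program against a constructed pair of states that differ only in the secret A[x]. The observation names (start, pc, load, rollback), the choice to observe the correct target after a rollback, and the treatment of spbarr (it exhausts the speculative window, so a mispredicted path is rolled back right after it) are assumptions of this model; the hardened variant with the barrier is included so the vulnerable and fixed programs can be compared on the same states.

```python
"""Executable model of the page's seq and always-mispredict spec semantics, run on Spectre-v1.
Added example; not the talk's Lean development or Spectector's code."""

INF = float("inf")

# Expressions: ("reg", r) | ("const", c) | ("add", e1, e2) | ("lt", e1, e2)
def ev(e, a):
    """Evaluate expression e under register assignment a, the page's (|e|)(a)."""
    k = e[0]
    if k == "reg":
        return a[e[1]]
    if k == "const":
        return e[1]
    if k == "add":
        return ev(e[1], a) + ev(e[2], a)
    if k == "lt":
        return 1 if ev(e[1], a) < ev(e[2], a) else 0
    raise ValueError(f"unknown expression {e!r}")

def reg(r):
    return ("reg", r)

# Instructions: ("assign", x, e) | ("load", x, e) | ("beqz", x, l) | ("spbarr",)
# Labels are instruction indices; the program ends when pc reaches len(prog).
def spectre_v1(barrier=False):
    """if (x < size) { [spbarr;] tmp = A[x]; out = B[tmp] }; A and B are base addresses in registers."""
    body = [("spbarr",)] if barrier else []
    return [
        ("assign", "cond", ("lt", reg("x"), reg("size"))),
        ("beqz", "cond", 4 + len(body)),                      # cond == 0 -> jump to end
        *body,
        ("load", "tmp", ("add", reg("A"), reg("x"))),          # tmp = A[x]
        ("load", "out", ("add", reg("B"), reg("tmp"))),        # out = B[tmp]
    ]

def step(prog, m, a):
    """One architectural step from <m, a>; returns (m, a', observation or None)."""
    pc, a2 = a["pc"], dict(a)
    ins = prog[pc]
    if ins[0] == "assign":
        a2[ins[1]], a2["pc"] = ev(ins[2], a), pc + 1
        return m, a2, None
    if ins[0] == "load":                            # LOAD: the accessed address is observed
        addr = ev(ins[2], a)
        a2[ins[1]], a2["pc"] = m.get(addr, 0), pc + 1
        return m, a2, ("load", addr)
    if ins[0] == "spbarr":                          # architecturally a no-op
        a2["pc"] = pc + 1
        return m, a2, None
    if ins[0] == "beqz":                            # the branch target is observed
        a2["pc"] = ins[2] if a[ins[1]] == 0 else pc + 1
        return m, a2, ("pc", a2["pc"])
    raise ValueError(f"unknown instruction {ins!r}")

def seq_trace(prog, m, a):
    """[[pi]]^seq(sigma): observations of the non-speculative execution."""
    trace = []
    while a["pc"] < len(prog):
        m, a, obs = step(prog, m, a)
        if obs is not None:
            trace.append(obs)
    return trace

def spec_trace(prog, m, a, w=4):
    """[[pi]]^spec(sigma): always-mispredict semantics with speculative window w.
    The stack holds (m, a, omega, id); the bottom, non-speculative entry has omega = INF."""
    trace, stack, next_id = [], [(m, a, INF, None)], 0
    while stack:
        m, a, omega, sid = stack[-1]
        if omega == 0 or a["pc"] >= len(prog):     # ROLLBACK of a speculative state, or termination
            stack.pop()
            if sid is not None:
                trace += [("rollback", sid), ("pc", stack[-1][1]["pc"])]
            continue
        ins = prog[a["pc"]]
        if ins[0] == "beqz":                        # BRANCH: explore the wrong direction first
            correct = ins[2] if a[ins[1]] == 0 else a["pc"] + 1
            mispred = a["pc"] + 1 if correct == ins[2] else ins[2]
            rest = INF if omega == INF else omega - 1
            stack[-1] = (m, dict(a, pc=correct), rest, sid)           # resumed after rollback
            stack.append((m, dict(a, pc=mispred), w if omega == INF else rest, next_id))
            trace += [("start", next_id), ("pc", mispred)]
            next_id += 1
        elif ins[0] == "spbarr":                    # barrier: exhaust the window of a speculative state
            m2, a2, _ = step(prog, m, a)
            stack[-1] = (m2, a2, INF if omega == INF else 0, sid)
        else:
            m2, a2, obs = step(prog, m, a)
            stack[-1] = (m2, a2, INF if omega == INF else omega - 1, sid)
            if obs is not None:
                trace.append(obs)
    return trace

def sni_violation(prog, s1, s2, w=4):
    """True iff (s1, s2) witnesses a violation of SNI: equal seq traces, different spec traces."""
    (m1, a1), (m2, a2) = s1, s2
    return (seq_trace(prog, m1, a1) == seq_trace(prog, m2, a2)
            and spec_trace(prog, m1, a1, w) != spec_trace(prog, m2, a2, w))

# Constructed sample states: out-of-bounds x, identical except for the "secret" at A + x.
REGS = {"pc": 0, "x": 10, "size": 4, "A": 100, "B": 200}
SIGMA_1 = ({110: 7}, REGS)   # A[x] = a
SIGMA_2 = ({110: 9}, REGS)   # A[x] = b

if __name__ == "__main__":
    for name, prog in (("vulnerable", spectre_v1()), ("with spbarr", spectre_v1(barrier=True))):
        print(name, "spec trace:", spec_trace(prog, *SIGMA_1))
        print(name, "SNI violation for (sigma_1, sigma_2):", sni_violation(prog, SIGMA_1, SIGMA_2))
```

Running it prints, for the vulnerable program, a spec trace containing `load(B + A[x])`, which differs between the two states while the seq traces are identical; with the barrier the mispredicted path is rolled back before any load. The window matters: with `w=1` only the first load runs speculatively and this pair of states is no longer a witness, which is why the model has to be instantiated with a window at least as large as the hardware's.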

# Demo

Spectre-v1.lean

### Speculative Execution

But that is a model, not the hardware....

There can be a huge gap between the hardware and the model.



# Develop an abstract model of hardware leakage

# Key idea



Speculative non-interference compares two executions of one software-level model:

$$\llbracket \pi \rrbracket^{seq}(\sigma) = \llbracket \pi \rrbracket^{seq}(\sigma') \implies \llbracket \pi \rrbracket^{spec}(\sigma) = \llbracket \pi \rrbracket^{spec}(\sigma')$$

A hardware-software contract generalises the right-hand side: the contract  $\llbracket \pi \rrbracket$  is the software-visible model and  $\{\!|\pi|\!\}$  is the hardware semantics.

$$\llbracket \pi \rrbracket (\sigma) = \llbracket \pi \rrbracket (\sigma') \implies \{\!|\pi|\!\}(\sigma) = \{\!|\pi|\!\}(\sigma')$$

M. Guarnieri, B. Köpf, J. Reineke, and P. Vila. Hardware-Software Contracts for Secure Speculation. IEEE S&P (Oakland) 2021 (Best Paper Award).

### **Hardware Software Contracts**

# Using Hardware-Software Contracts From software side

Automatic detection of speculative information flows

$$\llbracket \pi \rrbracket^{seq}(\sigma) = \llbracket \pi \rrbracket^{seq}(\sigma') \implies \llbracket \pi \rrbracket(\sigma) = \llbracket \pi \rrbracket(\sigma')$$


### Spectre attacks

Program  $p$  (Spectre-v1 in the abstract language;  $\psi$  stands for an abstracted operation on its arguments):

```
start:
  %cond ← ψ(%x, %size)
  br %cond, then, end
then:
  load %tmp, ψ(%A, %x)
  load %out, ψ(%B, %tmp)
  br end
end:
```

Its abstract trace  $\varphi_p$  (the `start(0)` / `rollback(0)` pair delimits the mispredicted path):

```
flow(ψ(%x, %size))
  start(0)
    block(then)
    load(ψ(%A, %x))
    load(ψ(%B, read(mem, ψ(%A, %x))))
    block(end)
  rollback(0)
block(end)
```





### KAWA: An Abstract Language for Scalable and Variable Detection of Spectre Vulnerabilities

Zheyuan Wu, Haoyi Zeng, Aaron Bies (Saarland University, Saarbrücken, Germany)

#### **Abstract**

Since the discovery of Spectre attacks, various detection methods for speculative vulnerabilities have been developed. Sound static analyses based on symbolic execution give precise results but lack scalability, while pattern-based analyses can accommodate large code bases but may be unsound and require manually crafted patterns for each microarchitecture.

We introduce KAWA, an abstract language designed to model control and data flows, allowing efficient analysis of Spectre vulnerabilities. KAWA's abstract nature also enables interpretation as schemata to capture entire classes of

[...] microarchitectural state, *e.g.*, in the cache state. In the prototypical Spectre v1 example below, arbitrary out-of-bounds array accesses to array A can be triggered if the attacker controls the input x and trains the branch predictor to mispredict the condition of the if-statement.

**Example 1.1.** The prototypical Spectre-v1 example [7]: `if (x < size) out = B[A[x] * 512];`

To address Spectre and related vulnerabilities, various countermeasures have been proposed, both at hardware [1, 12, 18–20] and software level [4, 8–10, 15, 17, 21]. [...]

### Let's do everything using proof assistants



One more reason: the pen-and-paper proof of contract satisfaction looks like this (excerpt):

$headConf(cr(corr_{cr,hr}(i-1)(|buf_{i-1}|)))[\mathbf{pc} \mapsto \ell]$  because  $headConf(cr(corr_{cr,hr}(i-1)(ln(hr(i-1)))))(x) = 0$ . From  $\langle m_{i-1}, a_{i-1} \rangle \uplus buf_{i-1} = headConf(cr(corr_{cr,hr}(i-1)(|buf_{i-1}|)))$ , we therefore get  $headConf(rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))) = \langle m_{i-1}, a_{i-1} \rangle \uplus buf_{i-1}[\mathbf{pc} \mapsto \ell]$ . By leveraging  $\cdot \uplus \cdot$ 's definition and  $\ell = \ell'$ , we get  $headConf(rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))) = \langle m_{i-1}, a_{i-1} \rangle \uplus (buf_{i-1} \cdot \mathbf{pc} \leftarrow \ell'@apl(a_{i-1}, buf_{i-1})(\mathbf{pc}))$ . From  $buf_i = \mathbf{pc} \leftarrow \ell'@apl(a_{i-1}, buf_{i-1})(\mathbf{pc}) \cdot buf_{i-1}$ ,  $a_i = a_{i-1}$ , and  $m_i = m_{i-1}$ , we get  $headConf(rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))) = \langle m_i, a_i \rangle \uplus buf_i$ . Finally, from  $corr_{cr,hr}(i) = corr_{cr,hr}(i-1)[ln(hr(i-1)) + 1 \mapsto rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))]$ ,  $|buf_i| = ln(hr(i-1)) + 1$ ,  $buf = buf_i$ , we get  $\langle m_i, a_i \rangle \uplus buf = headConf(cr(corr_{cr,hr}(i)(|buf|)))$ .

(ii): We need to show  $\#mispr(\langle m_i, a_i \rangle, buf) + 1 \ge |cr(corr_{cr,hr}(i)(|buf|))|$ . From (H.3.a.ii) and  $buf_{i-1} \in prefixes(buf_{i-1})$ , we have  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, buf_{i-1}) + 1 \ge |cr(corr_{cr,hr}(i-1)(|buf_{i-1}|))|$ . From  $buf = \mathbf{pc} \leftarrow \ell'@apl(a_{i-1}, buf_{i-1})(\mathbf{pc}) \cdot buf_{i-1}$  and  $headConf(cr(corr_{cr,hr}(i-1)(ln(hr(i-1)))))(x) = 0$ , we get that  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, buf) = \#mispr(\langle m_{i-1}, a_{i-1} \rangle, buf_{i-1})$ . From (2) and  $p(apl(a_{i-1}, buf_{i-1})(\mathbf{pc})) = \mathbf{beqz}\ x, \ell$ , we get that  $cr(corr_{cr,hr}(i-1)(|buf_{i-1}|) + 1)$  is obtained by executing the BRANCH rule on  $cr(corr_{cr,hr}(i-1)(|buf_{i-1}|))$ . From this and Lemma 2,  $|rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))| = |cr(corr_{cr,hr}(i-1)(|buf_{i-1}|))|$ . Therefore, we get  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, buf) + 1 \ge |rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))|$ . Finally, from  $a_i = a_{i-1}$ ,  $m_i = m_{i-1}$ ,  $corr_{cr,hr}(i) = corr_{cr,hr}(i-1)[ln(hr(i-1)) + 1 \mapsto rb_{cr}(corr_{cr,hr}(i-1)(ln(hr(i-1))))]$ , and  $|buf| = ln(hr(i-1)) + 1$ , we get  $\#mispr(\langle m_i, a_i \rangle, buf) + 1 \ge |cr(corr_{cr,hr}(i)(|buf|))|$ .

(iii): We need to show  $\#mispr(\langle m_i, a_i \rangle, buf) = 0 \leftrightarrow headWndw(cr(corr_{cr,hr}(i)(|buf|))) = \infty$ . From (H.3.a.iii) and  $buf_{i-1} \in prefixes(buf_{i-1})$ , we have  $\#mispr(\langle m_{i-1}, a_{i-1} \rangle, buf_{i-1}) = 0 \leftrightarrow headWndw(cr(corr_{cr,hr}(i-1)(|buf_{i-1}|))) = \infty$ . From (2) and  $p(apl(a_{i-1}, buf_{i-1})(\mathbf{pc})) = \mathbf{beqz}\ x, \ell$ , we get that  $cr(corr_{cr,hr}(i-1)(|buf_{i-1}|) + 1)$  is obtained by executing the BRANCH rule

~80 pages

# Using Hardware-Software Contracts From hardware side

$$\llbracket \pi \rrbracket (\sigma) = \llbracket \pi \rrbracket (\sigma') \implies \{\!|\pi|\!\}(\sigma) = \{\!|\pi|\!\}(\sigma')$$

#### Given any

| Component          | States      | Initial state | Functions                                                                                                                   |
|--------------------|-------------|---------------|-----------------------------------------------------------------------------------------------------------------------------|
| Cache              | CacheStates | $cs_0$        | $access : CacheStates \times Vals \rightarrow \{\mathtt{Hit}, \mathtt{Miss}\}$, $update : CacheStates \times Vals \rightarrow CacheStates$ |
| Branch predictor   | BpStates    | $bp_0$        | $predict : BpStates \times Vals \rightarrow Vals$, $update : BpStates \times Vals \times Vals \rightarrow BpStates$           |
| Pipeline scheduler | ScStates    | $sc_0$        | $next : ScStates \rightarrow Dir$, $update : ScStates \times Bufs \rightarrow ScStates$                                      |







EXECUTE-BRANCH-COMMIT (the predicted target  $\ell$  of the branch at  $\ell_0$  was correct; the entry is resolved in place):

$$\frac{\begin{array}{c} |buf| = i - 1 \qquad a' = apl(buf, a) \qquad \mathbf{spbarr}@T' \not\in buf \qquad \ell_0 \neq \varepsilon \qquad p(\ell_0) = \mathbf{beqz}\ x, \ell'' \\[1ex] (a'(x) = 0 \land \ell = \ell'') \lor (a'(x) \in Vals \setminus \{0, \bot\} \land \ell = \ell_0 + 1) \qquad bp' = update(bp, \ell_0, \ell) \end{array}}{\langle m, a, buf \cdot \mathbf{pc} \leftarrow \ell@\ell_0 \cdot buf', cs, bp \rangle \overset{\mathbf{execute}\ i}{\Longrightarrow} \langle m, a, buf \cdot \mathbf{pc} \leftarrow \ell@\varepsilon \cdot buf', cs, bp' \rangle}$$

EXECUTE-BRANCH-ROLLBACK (the predicted target was wrong: the younger entries  $buf'$  are squashed and the correct target  $\ell'$  replaces it):

$$\frac{\begin{array}{c} |buf| = i - 1 \qquad a' = apl(buf, a) \qquad \mathbf{spbarr}@T' \not\in buf \qquad \ell_0 \neq \varepsilon \qquad p(\ell_0) = \mathbf{beqz}\ x, \ell'' \\[1ex] (a'(x) = 0 \land \ell \neq \ell'') \lor (a'(x) \in Vals \setminus \{0, \bot\} \land \ell \neq \ell_0 + 1) \qquad \ell' \in \{\ell'', \ell_0 + 1\} \setminus \{\ell\} \qquad bp' = update(bp, \ell_0, \ell') \end{array}}{\langle m, a, buf \cdot \mathbf{pc} \leftarrow \ell@\ell_0 \cdot buf', cs, bp \rangle \overset{\mathbf{execute}\ i}{\Longrightarrow} \langle m, a, buf \cdot \mathbf{pc} \leftarrow \ell'@\varepsilon, cs, bp' \rangle}$$

Definition (Out-of-order scheduler):  $S_{ooo} := \mathbf{fetch} \cdot \mathbf{fetch} \cdot \mathbf{execute} \cdot \mathbf{fetch} \cdot \mathbf{execute} \cdot \mathbf{retire} \cdots$

Definition (Sequential scheduler):  $S_{seq} := \mathbf{fetch} \cdot \mathbf{execute} \cdot \mathbf{retire} \cdot \mathbf{fetch} \cdot \mathbf{execute} \cdot \mathbf{retire} \cdots$

### Formalizing Hardware-Software Contracts

### Goal

Theorem 1 (Contract Satisfaction 1):

For any hardware model  $\{\!|\cdot|\!\}$  instantiated by an arbitrary cache, branch predictor, and scheduler, we have contract satisfaction:  $\llbracket \pi \rrbracket (\sigma) = \llbracket \pi \rrbracket (\sigma') \implies \{\!|\pi|\!\}(\sigma) = \{\!|\pi|\!\}(\sigma')$ .

**Conclusion:** For any program  $\pi$ , if Spectector/KAWA shows that  $\pi$  is SNI, then  $\pi$  is secure against side-channel attacks on this machine model.

#### Fact 1 (Contract Satisfaction 1, the case proven so far):

For any hardware model  $\{\!|\cdot|\!\}$  instantiated by an arbitrary cache and branch predictor, if the scheduler is  $S_{seq}$ , we have the same contract satisfaction.

Proven first for  $S_{seq}$  because that scheduler is boring.

### **Proof by induction**

on contract steps, with an invariant



### **Future Work**



1. Challenge of the contract satisfaction proof
2. A program logic for proving SNI (Relational Hoare Logic, Hyper Hoare Logic)

### Full stack verification

1. More realistic examples (Model Checking + Proof Assistant)
2. Secure compilation